Subresource Integrity (SRI)
What is Subresource Integrity (SRI)?
Subresource Integrity (SRI)A browser mechanism that verifies a cryptographic hash of a script or stylesheet loaded from a third party before executing it, preventing tampered files from running.
Subresource Integrity is configured with an 'integrity' attribute on 'script' or 'link' tags, containing one or more base64-encoded SHA-256/384/512 digests of the expected file. The browser fetches the resource, recomputes the digest and refuses to execute or apply it if the hashes do not match. SRI is the primary defence against CDN compromise, hijacked third-party scripts and supply-chain attacks against client-side code such as the Magecart family. It pairs naturally with CSP and 'crossorigin' attributes and should be combined with version pinning and automated update workflows so the hash and code remain in sync.
● Examples
- 01
'<script src="https://cdn.example.com/lib.js" integrity="sha384-..." crossorigin="anonymous"></script>'.
- 02
CSP directive 'require-sri-for script style' (where supported) to enforce SRI on all subresources.
● Frequently asked questions
What is Subresource Integrity (SRI)?
A browser mechanism that verifies a cryptographic hash of a script or stylesheet loaded from a third party before executing it, preventing tampered files from running. It belongs to the Application Security category of cybersecurity.
What does Subresource Integrity (SRI) mean?
A browser mechanism that verifies a cryptographic hash of a script or stylesheet loaded from a third party before executing it, preventing tampered files from running.
How do you defend against Subresource Integrity (SRI)?
Defences for Subresource Integrity (SRI) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Subresource Integrity (SRI)?
Common alternative names include: SRI.